AES-Rijndael with ActionScript and ASP.Net

Cristian Merighi (Friday, March 2, 2007)

An useful example about how to pass encrypted data between a Flash object and a server side application developed with .Net technology using the Rijndael/AES algorithm.

This article is obsolete. Some functionalities might not work anymore. Comments are disabled.

In these days I'm working on an online application which consists in a flash game and a related managed skill contest whose final result is a standing with the ten top scorers.
These ten top scorers will receive a very nice prize as the contest will be over...

One of the most asked, requested, wanted among the features for this application was security! (ok, I know, that's a basis, but in this case more than usual because of the prize money)

The crucial point of weakness in this application is the passing of data between the flash game (client side) and the application logic (server side).
We wanted to avoid that malicious users coould sniff, post, force data so that they could fix the standings.

The answer to this request pointed to data encryption!

We know it is impossible to avoid that a user grabs its own http data, but we want to assure he cannot read it in order to reproduce fake posts.
The .Net Framework is pretty rich in encryption API's (and with the future versions it will be even richer, take a look at what's coming with the next Orcas CTP), but tha ActionScript APIs lack in it...
Thanks to Mika Palmu who has built up a very useful package of ActionScript 2.0 classes focused on cryptography, we can accomplish the mission with relative ease...

Here's a working swf to summarize the workflow:

Here's the core ActionScript used in order to encrypt the input string:

var aesMode:String = "ECB";
var aesKey:String = "01230123012390129012901A"; // equal key server side
var aes:it.pacem.Rijndael = new it.pacem.Rijndael(192, 128);
cipher_txt.text = aes.encrypt(plain_txt.text, aesKey, aesMode);

Here's the core C# used in order to decrypt the cipher text:

MemoryStream msDecrypt = null;
CryptoStream csDecrypt = null;
StreamReader srDecrypt = null;

System.Security.Cryptography.RijndaelManaged aesAlg = null;

string plaintext = null;

try
{
    // Create a RijndaelManaged object
    // with the specified key (IV parameter is obmitted because of ECB CipherMode).
    aesAlg = new System.Security.Cryptography.RijndaelManaged();
    aesAlg.Key = "01230123012390129012901A";
    aesAlg.Mode = CipherMode.ECB;
    // set PaddingMode.Zeros in order to use the same padding mode as in flash actionscript class
    aesAlg.Padding = PaddingMode.Zeros;

    // Create a decrytor to perform the stream transform.
    ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

    // Create the streams used for decryption.
    msDecrypt = new MemoryStream(cipherText);
    csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
    srDecrypt = new StreamReader(csDecrypt);

    // Read the decrypted bytes from the decrypting stream
    // and place them in a string.
    plaintext = srDecrypt.ReadToEnd();
}
finally
{
    // Clean things up.
    // Close the streams.
    if (srDecrypt != null)
        srDecrypt.Close();
    if (csDecrypt != null)
        csDecrypt.Close();
    if (msDecrypt != null)
        msDecrypt.Close();

    // Clear the RijndaelManaged object.
    if (aesAlg != null)
        aesAlg.Clear();
}

For the specifications about the Rijndael/AES Algorithm please refer to the official AES Standard (FIPS PUB 197) and to the System.Security.Cryptography.RijndaelManaged MSDN reference.

« download AES Standard (FIPS PUB 197) in PDF format

« download code

Take care. Bye.

Feedbacks

Re: AES-Rijndael with ActionScript and ASP.Net
zuppaman Saturday, March 10, 2007
Thx for this very nice sample !
Re: AES-Rijndael with ActionScript and ASP.Net
CMerighi Saturday, March 10, 2007
You're welcome, Zuppaman. Glad to see that you appreciate it...
Re: AES-Rijndael with ActionScript and ASP.Net
Kees Tuesday, March 13, 2007
Great example! thanks
Re: AES-Rijndael with ActionScript and ASP.Net
jake Tuesday, March 4, 2008
hi, i am a student from Singapore. i am currently working on a sch project that involves flash lite application which need to use AES encryption. but after looking at your example, i am still pretty much confused. basically i have a AES Key - 16byte, and a string of data. how do i go about doing the encryption? can you advise?
Re: AES-Rijndael with ActionScript and ASP.Net
CMerighi Wednesday, March 5, 2008
Hi Jake, I guess the downloadable example is pretty straightforward, you can anyway send your perplexities to my email address: cristian(at)pacem(dot)it. I'll try - I'll be out til next week - to answer as soon as possible.
Re: AES-Rijndael with ActionScript and ASP.Net
xenonii Saturday, March 15, 2008
If you put the key in the SWF, it is still unsecure i think, since they can decompile the SWF and read the key. Is there a solution for this?
Re: AES-Rijndael with ActionScript and ASP.Net
CMerighi Saturday, March 15, 2008
You're right Xenonii and this is a good question, clientside stuff is always risky. In the specific case mentioned at the beginning of this article, I've been flushing to the client several different swf's binaries, with different embedded keys (using ashx file). Each single user never faced the same swf more than once. That way even an hyper-malicious user couldn't repeat the same request to the server twice, the swf itself wasn't cached in the temporary internet files storage and hence unretrievable. The encryption was only one of the expedients used in that scenario.
Re: AES-Rijndael with ActionScript and ASP.Net
Shiv Sunday, March 16, 2008
Ok, So I use this code but when decrypting on the server side, I get junk. I've used the cipher text that your client produces on this page as well as one I've made in Flex Builder 3 using the code you show. Chritian, This is exactly what I'm looking for. An ActionScript and C# example. Thank you! However, I'm not able to get this to work on the C# end. I use the cipher text the client on this page produces. I take that cipher text and use it in the C3 code you've shown. The result of junk. I've build my own client in FlexBuilder 3. The cipher text it produces (using the same key) is different from what your client produces. Attempting to decrypt this cipher text using the C3 code you're provided again results in junk. Note: The C# code you show in this page is not compilable. The Key property is a byte[] so I use Encoding.Utf8.GetBytes() to convery the string key to a byte[]. I do the same for the cipher text (Which also need to be a byte[]. Even though I use the same key you have here. My cipher text is different from the one your client produces.
Re: AES-Rijndael with ActionScript and ASP.Net
CMerighi Monday, March 17, 2008
Hi Shiv, did you take a look to the code provided at the bottom of the article? There you'll find the fully working bunch of files used for the example above (C# .ashx + .fla + .as). Of course the extract of C# code printed on the page won't compile: it's just an extract. Take a look at the full code inside the .ashx file. There you'll see I've been using Ascii encoding to translate the cipher text (coming from the flash request) into cipher byte[], then I passed it all to a RijndaelManaged instance. Bye!
Re: AES-Rijndael with ActionScript and ASP.Net
Terry Monday, June 23, 2008
Cristian, Thanks for posting this article - it was a big help in a current project. I did run into one strange problem, though, which also appears in your sample code: when calling decryptStringFromBytes_AES()to decrypt the string sent from Flash, the decrypted string contains a bunch of null characters appended to it. The workaround I used is to strip them out in a while loop before storing them in a database.
Re: AES-Rijndael with ActionScript and ASP.Net
Andrzej P. Wednesday, August 13, 2008
Great example !
Re: AES-Rijndael with ActionScript and ASP.Net
Selim Tuesday, September 23, 2008
I like your script. I want to use it but i have a problem. I convert it to vb.net. It works correctly.But at the .aspx page variable always return with a few white spaces(blanks) at the end. Like this: "test ". So i couldnt equal it some other variable. I try everything i know(RTrim, replace, Cstr). But i couldnt remove those white spaces from code. Any idea??
Re: AES-Rijndael with ActionScript and ASP.Net
CMerighi Wednesday, September 24, 2008
Hi Selim, it's an intrinsic issue that relies upon the <a href="http://msdn.microsoft.com/en-us/library/system.security.cryptography.paddingmode.aspx" target="_blank">PaddingMode</a> that's been used. See the post from Terry (few lines above)...
Re: AES-Rijndael with ActionScript and ASP.Net
Rao Monday, October 20, 2008
Great example. ThanX
Re: AES-Rijndael with ActionScript and ASP.Net
John Friday, October 31, 2008
Thanks for this example, I'm wondering how would I encrypt the data going from aps.net to actionscript.
Re: AES-Rijndael with ActionScript and ASP.Net
John Friday, October 31, 2008
Actually I fixed my problem, I wasn't setting the padding or the CipherMode. Caused all sorts of crazy errors.
Re: AES-Rijndael with ActionScript and ASP.Net
Parag Tuesday, November 4, 2008
Good example... I had searching on net for a similar code.
Re: AES-Rijndael with ActionScript and ASP.Net
Keith Wednesday, November 19, 2008
Hi, I'm trying to encrypt a string in the flash which contains spanish characters such as áéí. When I decrypt it in the aspx, those characters appear as funny characters. I believe this is caused by the fact that Rijndael.as is using ASCII encoding, how can this be changed to use UTF-8 encoding? Thanks!
Re: AES-Rijndael with ActionScript and ASP.Net
matute Tuesday, February 17, 2009
'bout the whitespaces issue, try replacing the "\0" with "". str.replace("\0","") it's quite easier (and faster) than using a loop cheers
Re: AES-Rijndael with ActionScript and ASP.Net
Gerry Saturday, February 21, 2009
How would you do the reverse, please provide sample code of encypting text on the server and decypt in flash file. Thanks. Get sample just does not cover both senorio's
Re: AES-Rijndael with ActionScript and ASP.Net
Enrique Friday, March 6, 2009
Thank You Very Much, it was very useful...
Re: AES-Rijndael with ActionScript and ASP.Net
CuneyQ Wednesday, March 18, 2009
it was ver useful, thank you. is there c# codes for encrypt ?!?
Re: AES-Rijndael with ActionScript and ASP.Net
Navagon Monday, March 30, 2009
Great work. Regarding the key imbedding, I would use a an asymmetric (public/private) key pair. Embed the public key and keep the private on the server. This will ensure the message can only be decrypted at the server
Re: AES-Rijndael with ActionScript and ASP.Net
Mike Thursday, July 30, 2009
Hello, that's a great example thank you. But I have a problem to use this source code with this php classes. The result is just good with only 16 characters. I really don't know why... http://www.phpclasses.org/browse/package/4238.html Someone can help ?
Re: AES-Rijndael with ActionScript and ASP.Net
Alex Kleshchevnikov Tuesday, September 22, 2009
Is there an example of encrypt in C# and decrypt in actionscript?
Re: AES-Rijndael with ActionScript and ASP.Net
yil Wednesday, December 9, 2009
great topic tanks alot
Re: AES-Rijndael with ActionScript and ASP.Net
Hi all Thursday, December 17, 2009
anyone can help me decrypt it on PHP code. thanks.
can not encrypt chinese word.
Malcom Monday, January 18, 2010
Hi, If I encrypt a chinese word(two bytes) and decrypt it. I got different result. Can it resolve ? Thanks.
Re: AES-Rijndael with ActionScript and ASP.Net
Josh Friday, July 2, 2010
I got this working great... but there are a few issues 1) Every decrypted message has "0\0\0\0\0\0\" on the end 2) It mistakes " for 3) It also incorrectly decrypts \ as \ Any clue on how to fix?